Hack and protect your Android app

Transcript

1. Hack and protect your apps ! Droidcon Paris 2013 1st

   floor - 11:55~12:45

2. Welcome to Droidcon Paris !

3. Sylvain Galand Ingénieur R&D @Genymobile Hack and protect your apps

4. Deeper in the Dark Side... Reverse engineering, decompilation, and red

   lightsaber

5. Hack an app ! AdBlock+ DEMO

6. SDK • Extract .apk • Retrieve some of the ressources

   apktool • Retrieve all the ressources (.xml) • Smali code dex2jar and Java Decompiler • Most of the code in Java What can we do ?

7. How can we fight the Dark Side ? The Force,

   obfuscation, and proguard

8. Forward locking • apk not directly extractable Proguard • Obfuscation

   • Optimisation Some other ways... • .dex encryption • aapt modified • logic on server • ... How can I protect my sources ?

9. Protect an app ! Proguard DEMO

10. When should I protect my sources ? Whenever you want

    ! Just keep in mind that you should have a good reason. But keep in mind that... .. one motivated guy with enough ressources can break anything.

11. How all of this can help me ? Chewbie, opportunism,

    audit & more

12. Audit your build ! • Check if the code is

    up-to-date • Verify obfuscation ! • Find some build issues

13. Can we eplore a device's framework ? • Yes, we

    can. • Can help you to debug your app sometimes • Discover manufacturers private APIs • And they are really invasive...

14. Android decompiler • http://www.android-decompiler.com 1,000$ full, interractive solution. Automation API

    Dexter • http://dexter.dexlabs.org Upload your apk for an analysis Various • http://www.nothink.org/sandbox_and_utilities.php ◦ Android This is a business !

15. • Be sure to protect your code if necessary •

    You can use those tools on your own .apk • Do not hesitate to check device/framework code • Do not fight the hackers by annoying your users Conclusion

16. Questions ? Comments ?

17. Thank you ! Thank you !

18. @sylvaingaland http://slvn.fr/+ #SavingSharks Let's stay in touch !